Office of Audits and Evaluations
Report No. AUD-12-010

Controls Related to the FDIC’s Contract with
KeyCorp Real Estate Capital Markets, Inc.

July 2012

Executive Summary

Why We Did The Audit
Within the FDIC, the Division of Resolutions and Receiverships (DRR) has primary responsibility for
resolving failed FDIC-insured depository institutions, including the liquidation of assets in receivership.
During 2010, DRR undertook an initiative to consolidate the servicing of loans and related assets in
receivership with external “national” loan servicers, such as KeyCorp Real Estate Capital Markets, Inc.
(KeyCorp). As of March 31, 2012, the FDIC had four national loan servicers that collectively serviced
3,182 assets with a net unpaid principal balance of about $2.04 billion.
KeyCorp was the largest of these
servicers in terms of asset size, servicing $1.23 billion (or 60 percent) of the $2.04 billion.

In view of the significant role that KeyCorp plays in servicing receivership assets, the Office of Inspector
General (OIG) conducted a performance audit of controls related to the FDIC’s contract with KeyCorp.
Our performance audit objective was to assess (1) the extent to which payments made by the FDIC for
services provided by KeyCorp were adequately supported and in compliance with contract terms, (2) the
reliability of selected data used to manage and market assets serviced by KeyCorp, and (3) the adequacy
of certain controls over sensitive information handled by KeyCorp.

Background
On July 26, 2010, the FDIC awarded a contract (referred to herein as “the Contract”) to KeyCorp for the
servicing of assets (primarily commercial loans) in receivership. Under the terms of the Contract,
KeyCorp provides a full range of servicing activities, such as maintaining loan files, performing loan
administration, loan default management, and collection and cash management services, and assisting, as
requested, with asset sale initiatives. As compensation for its services, the FDIC pays KeyCorp various
types of fees, including monthly servicing fees and transaction fees for loan conversion activities, loss
mitigation efforts such as loan compromises and restructures, and foreclosures. The FDIC also
reimburses KeyCorp for pass-through costs, such as taxes and insurance, and advances pursuant to loan
commitments. As of March 31, 2012, payments to KeyCorp under the Contract totaled almost
$23 million.

KeyCorp maintains a significant amount of data that are used to support important business decisions
regarding the management and marketing of assets. Accordingly, it is critical that the data be reliable
(i.e., accurate and complete).
To help ensure the reliability of this data, DRR has taken various steps,
such as incorporating data quality requirements into the Contract, periodically testing the accuracy of loan
data maintained by KeyCorp, and initiating an internal “Loan Data Structure Project” in 2011 to help
ensure the accuracy of receivership data captured and maintained by DRR and its contractors.

Key controls for protecting sensitive information handled by KeyCorp include background investigations,
confidentiality agreements, risk-level designations for contracts and contractor personnel, subcontractor
approvals, and contract security provisions. The FDIC’s Division of Administration (DOA), through the
Contracting Officer, works with DRR to ensure that these controls are implemented. Further, the FDIC
established the Outsourced Service Provider Assessment Methodology to provide security oversight of
outsourced service providers, such as KeyCorp. The methodology considers various security information
to establish quantifiable risk ratings and, based on those ratings, defines procedures for verifying security
measures and processes. Collectively, the security controls referenced above help to ensure that
contractor and subcontractor personnel meet the FDIC’s minimum standards of integrity and fitness and
that sensitive information is safeguarded from unauthorized disclosure.

To view the full report, go to www.fdicig.gov

Audit Results
The preponderance of payments made by the FDIC to KeyCorp were adequately supported and were in
compliance with the terms of the Contract for the charges that we analyzed. The payment discrepancies
that we identified were not material in relation to the total charges that we reviewed and were addressed
prior to the close of the audit. Notwithstanding these results, the relatively high error rate in our sample
indicates that a review by DRR of KeyCorp’s billing procedures is warranted. In addition, invoices
supporting the charges that we analyzed had been reviewed and approved by DRR prior to payment as
prescribed by FDIC policy. However, in light of the large volume of charges and associated
documentation, a more risk-based approach for reviewing servicer invoices could promote efficiencies
and consistency in DRR’s review processes.

DRR has taken a number of steps to ensure the reliability of data used to manage and market assets
serviced by KeyCorp. However, DRR can achieve greater assurance regarding the reliability of such data
by establishing and implementing a more structured data quality program that includes such things as
objective metrics to measure data reliability, enhanced policies and guidance, and improved contract
provisions that address ongoing data reliability.

The FDIC conducted preliminary security checks and obtained signed confidentiality agreements for all
of the KeyCorp contractor and subcontractor personnel that we reviewed. However, we identified
instances in which background investigations had not been initiated as required by FDIC policy. In
addition, the risk level designation for the Contract needed clarification.
Further, KeyCorp did not obtain
the FDIC’s prior written approval before engaging a subcontractor to work on the Contract or include
certain security-related provisions in its subcontracts as required by the Contract. Finally, the FDIC was
working to apply its Outsourced Service Provider Assessment Methodology to assess security risks and
controls at KeyCorp. Addressing the security control weaknesses identified during the audit will increase
the FDIC’s assurance that sensitive information is adequately protected and that contractor and
subcontractor personnel satisfy the FDIC’s minimum standards of integrity and fitness.

We plan to report $12,057 in unsupported questioned costs pertaining to the payment discrepancies
identified during the audit in our next Semiannual Report to the Congress. The amount ultimately
disallowed by the FDIC may change based on management’s final decision after evaluating the findings
and recommendations in the audit report.

Recommendations and Corporation Comments
The report contains seven recommendations intended to improve controls related to the accuracy and
review of KeyCorp’s invoices, the reliability of receivership data, and the safeguarding of sensitive
information. The Directors, DOA and DRR, provided a joint written response, dated June 19, 2012, to a
draft of the report. In the response, the Directors concurred with all seven of the report’s
recommendations and described completed and planned corrective actions to address the
recommendations. As described in the report, DRR and DOA officials clarified actions that will be taken
to address two of the report’s recommendations subsequent to our receipt of management’s written
response. Further, we provided relevant portions of the draft report to KeyCorp for its review and
informal comment.
In response, KeyCorp provided us with the status of completed and planned
corrective actions to address the issues described in the report. We considered the information provided
by KeyCorp in finalizing our report.

Contents

BACKGROUND

AUDIT RESULTS

Payments to KeyCorp

Controls Related to Data Reliability

Controls Related to Sensitive Information

CORPORATION COMMENTS AND OIG EVALUATION

Appendices
  1. Objective, Scope, and Methodology
  2. Monetary Benefits Terms and Results
  3. Glossary of Terms
  4. Acronyms
  5. Corporation Comments
  6. Summary of the Corporation’s Corrective Actions

Tables
  1. Summary of Assets Serviced by KeyCorp as of March 31, 2012
  2. Summary of Payment Discrepancies
  3. Discrepancies in Asset Type and Collateral Type Data Elements

Federal Deposit Insurance Corporation
3501 Fairfax Drive, Arlington, Virginia 22226
Office of Audits and Evaluations
Office of Inspector General

DATE:            July 3, 2012

MEMORANDUM TO:   Bret D. Edwards, Director
                 Division of Resolutions and Receiverships

                 Arleas Upton Kea, Director
                 Division of Administration

FROM:            /Signed/
                 Stephen M. Beard
                 Deputy Inspector General for Audits and Evaluations

SUBJECT:         Controls Related to the FDIC’s Contract with KeyCorp
                 Real Estate Capital Markets, Inc.
                 (Report No. AUD-2012-010)

This report presents the results of our audit of controls related to the FDIC’s contract with
KeyCorp Real Estate Capital Markets, Inc. (KeyCorp).[1] KeyCorp provides nationwide
servicing of assets (primarily commercial loans)[2] in receivership on behalf of the FDIC.

Our performance audit objective was to assess (1) the extent to which payments made by
the FDIC for services provided by KeyCorp were adequately supported and in
compliance with contract terms, (2) the reliability of selected data used to manage and
market assets serviced by KeyCorp, and (3) the adequacy of certain controls over
sensitive information handled by KeyCorp. To address our objective, we reviewed
KeyCorp invoices and supporting documentation, evaluated data reliability controls, and
assessed contract and oversight controls designed to protect sensitive information.

We conducted this performance audit in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objective.
We believe that the evidence obtained provides
a reasonable basis for our findings and conclusions based on our audit objective.
Appendix 1 of this report includes additional details regarding our objective, scope, and
methodology. Appendix 2 contains monetary benefit terms and results. Appendix 3
contains a glossary of key terms, and Appendix 4 contains a list of acronyms.

[1] KeyCorp is a business unit of KeyBank USA National Association, which is a wholly-owned subsidiary
of Cleveland, Ohio-based KEYCORP, one of the nation’s largest bank-based financial services companies.
KeyCorp engages in the origination of agency loans and the servicing of commercial real estate loans for
others. The company’s loan servicing business is based in Overland Park, Kansas.
[2] Certain terms that are underlined when first used in this report are defined in Appendix 3, Glossary of
Terms.

BACKGROUND
Within the FDIC, the Division of Resolutions and Receiverships (DRR) has primary
responsibility for resolving failed FDIC-insured depository institutions, including the
liquidation of assets in receivership. During 2010, DRR undertook an initiative to
consolidate the servicing of loans and related assets in receivership with external
“national” loan servicers, such as KeyCorp. As of March 31, 2012, the FDIC had 4
external loan servicers that collectively serviced 3,182 assets with a net unpaid principal
balance of about $2.04 billion. KeyCorp was the largest of these servicers in terms of
asset size, servicing 972 assets totaling $1.23 billion (or 60 percent) of the
$2.04 billion.

The KeyCorp Contract

On July 26, 2010, the FDIC awarded Receivership Basic Ordering Agreement contract
RECVR-10-G-0171 (referred to herein as “the Contract”) to KeyCorp.
Under the terms
of the Contract, KeyCorp provides a full range of servicing activities for assets in
receivership. The Contract has an initial term of 3 years, three separate 2-year option
periods, and a 1-year option period, for a total potential period of performance of
10 years. The FDIC typically awards separate task orders under the Contract for
individual receiverships. The task orders identify the specific assets to be serviced by
KeyCorp. As of March 31, 2012, the FDIC had awarded 101 task orders resulting in
almost $23 million in payments to KeyCorp.

Key activities to be performed by KeyCorp under the Contract include:

  • Maintaining appropriate loan files and performing loan administration, including
    loan payment processing, escrow maintenance, and advances under unfunded
    commitments or for collateral protection.

  • Conducting loan default management, such as monitoring delinquencies and loss
    mitigation activities, including loan restructures, modifications, compromises, and
    foreclosures.

  • Performing collection and cash management services and monthly bank account
    reconciliations.

  • Assisting, as requested, with asset sales initiatives and performing services related
    to owned real estate assets, as needed.

  • Providing weekly and monthly reports of asset balances and related transactions.

  • Ensuring the quality and integrity of loan data transferred to KeyCorp.

  • Ensuring that all contractor and subcontractor personnel with access to sensitive
    information are subject to background investigations appropriate to the risk level
    of the Contract.

As compensation for its services, the FDIC pays KeyCorp various types of fees,
including a monthly servicing fee that is based on the amount of the
unpaid principal
balances of the assets being serviced. The Contract defines three different types of loan-
related assets to be serviced—mortgage loans; non-mortgage loans; and judgments,
deficiencies, and charge-offs (JDC). Each of these three asset types has its own fee rates.
Fee rates for mortgage loans and non-mortgage loans are dependent on whether the loans
are performing or non-performing. In addition to monthly servicing fees, the FDIC pays
transaction fees for loan conversion activities, loss mitigation efforts such as loan
compromises and restructures, and foreclosures. The FDIC also pays fees based on the
number and types of reports that KeyCorp produces. Further, the FDIC reimburses
KeyCorp for pass-through costs, such as taxes and insurance, and advances pursuant to
loan commitments. Table 1 describes the types and amounts of assets serviced by
KeyCorp as of March 31, 2012.

Table 1: Summary of Assets Serviced by KeyCorp as of March 31, 2012

                                        Asset Status
Type of Asset                      Performing(*)  Non-Performing       Total  Percent
Commercial Non-Mortgage Loans
  Unpaid Principal Balance (000s)        $19,355        $158,207    $177,562      15%
  Asset Count                                 25             123         148      15%
Commercial Mortgage Loans
  Unpaid Principal Balance (000s)       $566,776        $396,372    $963,148      78%
  Asset Count                                517             272         789      81%
JDCs
  Unpaid Principal Balance (000s)             NA         $90,437     $90,437       7%
  Asset Count                                 NA              35          35       4%
Total Assets
  Unpaid Principal Balance (000s)       $586,131        $645,016  $1,231,147     100%
  Asset Count                                542             430         972     100%

Source: Office of Inspector General’s (OIG) analysis of data in the KeyCorp Detail Trial Balance Report
for the month ended March 31, 2012.
(*) For the purposes of this table, “performing” refers to loans that are less than 91 days past due.

Contract Administration and Oversight Management

The FDIC’s Division of Administration (DOA) has primary responsibility for issuing
policies and procedures that govern the Corporation’s contracting program. DOA has
issued the Acquisition Policy Manual (APM), which defines policies and procedures for
procuring goods and services and assigning key roles and responsibilities in all phases of
the procurement process. According to the APM, the Contracting Officer (CO) has
overall responsibility for ensuring compliance with the terms of FDIC contracts and for
protecting the FDIC’s interests in its contractual relationships. The CO’s duties include
the appointment of an FDIC employee to serve as a contract Oversight Manager (OM) to
monitor and evaluate the contractor’s performance. The CO may also appoint one or
more Technical Monitors (TM) to assist the OM with contract oversight authorities,
duties, and responsibilities.

The CO assigned to the Contract has designated an OM and multiple TMs. The
responsibilities of the OM and TMs are defined in formal appointment memoranda issued
by the CO. The OM’s appointment memorandum states that the OM is responsible for
such things as approving invoices and ensuring that appropriate background
investigations are obtained for contractor and subcontractor personnel.
TMs are
responsible for receiving and reviewing required reports, participating in periodic
contract compliance reviews, and assisting the OM in the evaluation of invoices.
Separate TMs have been designated to support critical areas, such as credit, legal, and
accounting.

An important aspect of the FDIC’s oversight of KeyCorp is DRR’s periodic reviews to
assess the company’s overall compliance with the operational and credit-related
requirements of the Contract. At the time of our audit, DRR had completed three such
reviews and made a number of recommendations to improve KeyCorp’s operations. In
addition, DRR’s Internal Review staff issued a report in July 2011 on the division’s
oversight of external loan servicers. The report concluded that commercial loan servicers
under contract with the FDIC, including KeyCorp, were being effectively managed by
DRR.

Data Reliability

KeyCorp maintains a significant amount of data pertaining to receivership assets that are
used to support important business decisions. Accordingly, it is critical that the data be
reliable (i.e., accurate and complete). The Government Accountability Office’s (GAO)
November 1999 publication entitled, Standards for Internal Control in the Federal
Government, identifies a number of internal control activities that organizations can
consider implementing to promote accurate and complete computer-processed data. Such
internal control activities include, for example, data edit checks, verifications, and
reconciliations. According to the publication, organizations should design and implement
internal control activities based on related costs and benefits.

In 2011, DRR initiated the “Loan Data Structure Project” to help ensure the accuracy of
receivership data captured and maintained by DRR and its contractors.
The project
involves reviewing the definitions and associated business rules for more than 1,100 data
fields to ensure that they are adequately defined and consistently applied as data flows
through the various DRR business lines. As part of this effort, DRR is working to
identify potential duplication and non-essential data elements. Further, because DRR has
placed increased reliance on external loan servicers in recent years to collect, manage,
and report data pertaining to receivership assets, DRR is coordinating with its external
loan servicers, such as KeyCorp, on the project.

Information Security

Key controls for protecting sensitive information handled by KeyCorp include:

  • Background Investigations. FDIC Circular 1610.2, Personnel Security Policy
    and Procedures for FDIC Contractors, describes the FDIC’s processes for
    ensuring that contractors and their personnel meet the FDIC’s minimum
    standards of integrity and fitness. Generally, these processes consist of
    conducting preliminary security checks of contractors and their personnel and
    ordering background investigations from the U.S. Office of Personnel
    Management (OPM) for contractor personnel with long-term access to FDIC
    facilities, systems, or sensitive information.[3]

  • Confidentiality Agreements. The APM requires authorized contractor
    representatives and all key contractor personnel to sign confidentiality
    agreements prior to receiving or collecting sensitive information. The purpose of
    the agreements is to mitigate the risk of unauthorized disclosure of sensitive
    information.

  • Subcontractor Approvals.
    The Contract states that KeyCorp must obtain the
    prior written approval of the CO before engaging subcontractors to perform
    services on behalf of the Corporation. Such approvals are required, in part, to
    ensure that subcontractors and their personnel meet the FDIC’s minimum
    standards of integrity and fitness.

  • Contract Security Provisions. The APM requires that certain security
    provisions be included in FDIC contracts and subcontracts to safeguard sensitive
    information and ensure that contractors, subcontractors, and their personnel meet
    the FDIC’s minimum standards of integrity and fitness.

  • Security Oversight. The FDIC established the Outsourced Service Provider
    Assessment Methodology to provide security oversight of outsourced service
    providers, such as KeyCorp. The methodology considers various security
    information to establish quantifiable risk ratings and, based on those ratings,
    defines procedures for verifying security measures and processes.

Our audit included an assessment of the above controls as they pertain to KeyCorp.

[3] Preliminary security checks consist of such things as fingerprint criminal records checks and reviews of
personnel security questionnaires and credit reports. OPM background investigations consist (at a
minimum) of a National Agency Check with Inquiries, which is a search of federal investigative databases
maintained by the Federal Bureau of Investigation and other federal agencies, together with written
inquiries of employers, educational institutions, law enforcement agencies, and references.
The scope of
OPM background investigations is based on the risk level associated with the duties of the individual.

AUDIT RESULTS
The preponderance of payments made by the FDIC to KeyCorp were adequately
supported and were in compliance with the terms of the Contract for the charges that we
analyzed. The payment discrepancies that we identified were not material in relation to
the total charges that we reviewed and were addressed prior to the close of the audit.
Notwithstanding these results, the relatively high error rate in our sample indicates that a
review by DRR of KeyCorp’s billing procedures is warranted. In addition, invoices
supporting the charges that we analyzed had been reviewed and approved by DRR prior
to payment as prescribed by FDIC policy. However, in light of the large volume of
charges and associated documentation, a more risk-based approach for reviewing servicer
invoices could promote efficiencies and consistency in DRR’s review processes.

DRR has taken a number of steps to ensure the reliability of data used to manage and
market assets serviced by KeyCorp. However, DRR can achieve greater assurance
regarding the reliability of such data by establishing and implementing a more structured
data quality program that includes such things as objective metrics to measure data
reliability, enhanced policies and guidance, and improved contract provisions that address
ongoing data reliability.

The FDIC conducted preliminary security checks and obtained signed confidentiality
agreements for all of the KeyCorp contractor and subcontractor personnel that we
reviewed. However, we identified instances in which background investigations had not
been initiated as required by FDIC policy. In addition, the risk level designation for the
Contract needed clarification.
Further, KeyCorp did not obtain the FDIC’s prior written
approval before engaging a subcontractor to work on the Contract or include certain
security-related provisions in its subcontracts as required by the Contract. Finally, the
FDIC was working to apply its Outsourced Service Provider Assessment Methodology to
assess security risks and controls at KeyCorp. Addressing the security control
weaknesses identified during the audit will increase the FDIC’s assurance that sensitive
information is adequately protected and that contractor and subcontractor personnel
satisfy the FDIC’s minimum standards of integrity and fitness.

Payments to KeyCorp
We used both statistical and non-statistical sampling techniques[4] to analyze 44 invoices
that had been approved for payment to KeyCorp during the period July 26, 2010 through
September 30, 2011. Specifically, we determined whether:

  • the charges on the invoices were allowable under the terms of the Contract;

[4] A non-statistical sample is judgmental and cannot be projected to the intended population by standard
statistical methods.
See Appendix 1 for a detailed description of the sampling methodology used during the
audit.

  • charges pertaining to a non-statistical sample of loans on the invoices were
    supported by underlying documentation and, for fee invoices, were consistent
    with the fee rates defined in the Contract; and

  • DRR personnel had reviewed and approved the invoices prior to payment.

In addition, we conducted a limited review of two non-statistically selected loans on two
additional invoices to determine whether KeyCorp had used the correct collateral type
and unpaid principal balance amounts when computing monthly servicing fees.

Except as noted in Table 2, payments made to KeyCorp were adequately supported and
in compliance with the terms of the Contract for the charges that we analyzed. The
payment discrepancies that we identified were not material in relation to the total charges
that we reviewed and were addressed prior to the close of the audit. Accordingly, we are
not making recommendations to address these payment discrepancies. In addition, the
invoices supporting servicing fees and pass-through costs had been reviewed and
approved by the OM prior to payment as prescribed by the APM.
A brief description of
each discrepancy follows the table.

Table 2: Summary of Payment Discrepancies

                                                                Invoice   Amount of (Under)
Item  Description of Discrepancy                                Number    Over Payment
1     Incorrect collateral type used to calculate the loan      345       ($2,330.61)
      service fee.
2     Incorrect collateral type used to calculate the loan      361       ($41.72)
      service fee.
3     Incorrect collateral type and unpaid principal balance    215       $2,257.50
      amount used to calculate the loan service fee.
4     Incorrect unpaid principal balance amount used to         164       $764.56
      calculate the loan service fee.
5     Duplicate payment of legal expenses.                      327       $11,407.32
      Net Overpayment by the FDIC                                         $12,057.05

Source: OIG’s analysis of sampled KeyCorp invoices.

Items 1 and 2

KeyCorp incorrectly billed two non-performing commercial loans as non-mortgage loans
instead of mortgage loans. Because the non-performing servicing fee rate for non-
mortgage loans is lower than for mortgage loans, the FDIC was undercharged by the
amounts listed in Table 2. In researching the discrepancies, KeyCorp determined that
these same assets were incorrectly billed on invoices outside of our sample. Specifically,
the asset pertaining to Item 1 was billed at the lower rate from February 1, 2011 through
November 30, 2011, resulting in a total underbilling of $23,306.20.
In addition, the asset
pertaining to Item 2 was billed at the lower rate from March 31, 2011 through August 15,
2011, resulting in a total underbilling of $189.12.

KeyCorp established FDIC Collateral Review Process procedures that require the
company’s account managers to (1) review loan documentation after it is uploaded into
KeyCorp’s loan system and (2) enter an appropriate collateral type code (e.g.,
commercial mortgage loan, commercial non-mortgage loan) into the loan system. The
collateral type codes determine the fee rates used when computing monthly servicing fees
for assets in receivership. For both Items 1 and 2, KeyCorp’s account managers either
misinterpreted or overlooked documentation indicating that the collateral type code was a
commercial mortgage loan.

Items 3 and 4

KeyCorp calculated monthly servicing fees for two assets based on incorrect unpaid
principal balance amounts, resulting in overcharges to the FDIC. Specifically, KeyCorp
foreclosed on two non-performing mortgage loans but did not reduce the unpaid principal
balance amounts on the invoices to reflect the foreclosure sale price until the month after
the foreclosure took place. Further, KeyCorp did not change the collateral type on the
invoice for one of the assets to a JDC until the month following the foreclosure. Because
servicing fee rates for mortgage loans are higher than for JDCs, the FDIC was
overcharged.

KeyCorp established FDIC Invoicing procedures for preparing, reviewing, and approving
service fee invoices before they are submitted to the FDIC. The procedures require
KeyCorp’s Investor Reporting group to coordinate with various departments within the
company to obtain supporting documentation for fees billed. For our sampled assets,
KeyCorp’s account managers provided Investor Reporting with documentation indicating
that the loans had been foreclosed, and Investor Reporting included the appropriate
foreclosure fee on the monthly invoice. However, for one of the assets, KeyCorp’s
procedures did not ensure that Investor Reporting adjusted the collateral type of the asset
on the sampled invoice from a mortgage to a JDC. In addition, KeyCorp’s procedures
did not ensure that Investor Reporting reduced the unpaid principal balance amount for
either asset on the sampled invoices to reflect the foreclosure sales proceeds.

Item 5

On March 31, 2011, nine loans were transferred to KeyCorp from another loan servicer.
Under the terms of the transfer, the other servicer was responsible for paying expenses
(including legal expenses) on the loans through March 31, 2011 and KeyCorp was
responsible for paying expenses subsequent to that date. In May 2011, the KeyCorp OM
authorized KeyCorp to reimburse a law firm for expenses totaling $11,407 that had been
incurred between January and March 2011 on the nine loans. The KeyCorp OM advised
us that the other servicer had not paid the law firm on a timely basis and that it would be
in the FDIC’s interest to pay the expenses in order to maintain the continuity of the law
firm’s work. KeyCorp’s OM indicated that he had advised the other servicer’s OM that
KeyCorp would pay the legal expenses. However, the other servicer also paid the legal
expenses and was reimbursed by the FDIC for the same $11,407.
Prior to our audit, the
law firm had not refunded the duplicate payment, nor had the FDIC requested a refund.

KeyCorp’s Internal Billing Procedures

Although the payment discrepancies that we identified were not material in relation to the
total charges that we reviewed, the error rate in our sample indicates that a review by
DRR of KeyCorp’s internal procedures for preparing fee invoices is warranted.
Specifically, KeyCorp used an incorrect collateral type to calculate the monthly servicing
fee for 3 (or 7.7 percent) of the 39 loans that we tested and an incorrect unpaid principal
balance amount for 2 (or 5.1 percent) of the 39 loans. In addition, these discrepancies
were not detected by KeyCorp’s internal control processes. A review of KeyCorp’s
internal billing procedures could identify opportunities to mitigate the risk that the types
of discrepancies identified during the audit go undetected.

FDIC’s Review of KeyCorp’s Invoices

The APM and the OM and TM Appointment Memoranda establish roles and
responsibilities for the review, evaluation, and approval or rejection of contractor
invoices. In addition, the TMs that we spoke with were reviewing invoices, providing
feedback to the OM, and seeking opportunities to reduce costs and achieve efficiencies,
such as by eliminating unnecessary reporting costs. However, the OM indicated that
TMs could benefit from guidance that clarifies expectations regarding the review of
invoices. Such guidance could, for example, describe:

   •   a more risk-based approach for reviewing servicer invoices that include large
       amounts of charges and supporting documentation. Given that it may not be
       practical or cost-beneficial to review every charge on an invoice, an approach
       that considers dollar amounts, trends, or anomalies that would warrant a closer
       review may be prudent.

   •   the amount and type of documentation that TMs should maintain to support their
       review of charges.

   •   when a specialist should be consulted in assessing the reasonableness of costs,
       such as consulting with the Legal Division regarding legal expenses.

The TMs that we spoke with generally relied on their experience and professional
judgment when reviewing invoices. Guidance could promote a more consistent and
efficient approach to reviewing invoices. The OM also acknowledged that improved
guidance on reviewing invoices could help to mitigate risks associated with TM turnover
and varying degrees of experience at the TM level.

Recommendations

We recommend that the Director, DRR:

1. Review KeyCorp’s internal billing procedures to determine whether they adequately
   mitigate the risk that the types of exceptions identified during our audit go
   undetected. Based on the results of the review, take appropriate steps to ensure that
   controls pertaining to the accuracy, timeliness, and support for invoices are adequate.

2. Evaluate whether guidance for a more risk-based approach to reviewing servicer
   invoices is warranted and feasible.


Controls Related to Data Reliability
DRR has taken a number of steps to ensure the reliability of data used to manage and
market assets serviced by KeyCorp.
However, DRR can achieve greater assurance
regarding the reliability of such data by establishing and implementing a more structured
data quality program that includes such things as objective metrics to measure data
reliability, enhanced policies and guidance, and improved contract provisions that address
ongoing data reliability.

Contractual Requirements for Promoting Data Reliability

DRR included various requirements in the Contract that address data reliability.
Specifically, the Contract requires KeyCorp to develop an automated process for
converting loans from prior servicer systems and to reconcile the conversions while
adhering to standard industry requirements for data integrity. The Contract also requires
KeyCorp to validate the prime interest rate index and other data relevant to the servicing
of adjustable rate loans within 60 days of conversion and to report the results of the
review to the FDIC. During our site visit to KeyCorp in December 2011, representatives
of the company walked us through their processes for performing automated loan
conversions and reconciliations and validating interest rates. With respect to ongoing
(post conversion) data reliability, the Contract requires a Data Quality Report and
independent evaluations of the company’s operations by loan servicer rating agencies.[5]
At the time of our audit, DRR had not requested a Data Quality Report from KeyCorp or
defined the expected content of the report.

[5] The Contract requires KeyCorp to provide the FDIC with the results of an independent
evaluation of the company’s operations by one or more loan servicer rating agencies. The
results of the most recent evaluations available, which included reviews of KeyCorp’s loan
setup procedures for ensuring data quality, were favorable.

DRR Control Practices for Promoting Data Reliability

As part of the data conversion process, DRR verifies that selected loan data, such as account
number, account name, and principal balance, have been correctly entered into KeyCorp’s
loan system. DRR also conducts periodic compliance reviews of KeyCorp’s operational and
credit activities, which include validation of selected loan data to original source documents.
In addition, DRR validates the quality of selected loan data through the use of third-party due
diligence contractors prior to loan sales initiatives.

Data Discrepancies

As discussed in the previous finding, we identified discrepancies in key data elements,
such as unpaid principal balance amounts and collateral types, maintained in KeyCorp’s
system of record that resulted in erroneous billings and payments. In addition, as
described below, we noted discrepancies between the collateral type data element
reflected in KeyCorp’s records and the asset type data element reflected in the FDIC
Communication, Capability, Challenge, and Control system (4C).[6] Because the FDIC
uses the asset type data element in calculating the estimated losses on receivership assets,
errors in this data element could affect the accuracy of the FDIC’s loss estimates.[7]

[6] DRR Circular 7210.2 identifies the FDIC’s 4C system as an integrated, end-to-end
Web-based application that provides full functionality to support franchise marketing, asset
marketing, and asset management.

[7] The GAO conducts annual audits of the financial statements of the FDIC’s Deposit
Insurance Fund and Federal Savings and Loan Insurance Corporation Resolution Fund. Those
audits include a review of the FDIC’s loss estimates.

We identified 25 assets for which KeyCorp had notified DRR that the asset type data
element assigned by the FDIC appeared inconsistent with the collateral type data element
in KeyCorp’s records. We identified these assets based on a review of the same sample
of invoices described in the prior finding. In each case, KeyCorp had provided the FDIC
with loan file documentation supporting the collateral type for the asset. As reflected in
Table 3, the asset type data element in 4C had been changed for only 5 of the 25 assets as
of December 31, 2011.

Table 3: Discrepancies in Asset Type and Collateral Type Data Elements

Asset Type as          Collateral Type as     Number of   Asset Types
Reflected in 4C        Reflected in           Assets      Changed in 4C
                       KeyCorp’s Records
015 – Commercial       Mortgage                  12            0
015 – Commercial       JDC                        1            0
030 – Mortgage         JDC                        1            0
031 – Construction     JDC                       11            5
      Mortgage
                       Totals                    25            5

Source: OIG’s analysis of selected KeyCorp invoices and related asset data in 4C.

DRR personnel that we spoke with were unable to explain why the asset type data elements
for the 20 assets had not been changed. The personnel added that a formal process had not
been established to (1) review discrepancies between the asset type and collateral type data
elements or (2) assess the need to change the asset type data element when appropriate.
At the
close of our audit field work, DRR had begun to develop written guidance for reviewing
discrepancies between the asset type and collateral type data elements.

Data Reliability Metrics and Controls

FDIC Circular 1301.3, Enterprise Data Management Program, states that the FDIC’s policy
is to manage all data efficiently and effectively, from a corporate perspective, in part, by
ensuring that data supporting business operations is reliable, accurate, current, useful,
easily accessible, and available in a timely manner. GAO’s November 1999 publication
entitled, Standards for Internal Control in the Federal Government, identifies internal
control activities that organizations can consider implementing to promote accurate and
complete computer-processed data. According to the publication, organizations should
design and implement internal control activities based on related costs and benefits. In
this context, organizations may, based on an assessment of risk, determine that data are
reliable even though they are not error free. DRR took such an approach when it
established its prior Data Quality Program in September 2005 to ensure “highly reliable
and accurate data” within its priority IT systems. Under the prior program, critical data
elements within DRR’s priority IT systems were considered reliable if they demonstrated
an accuracy rate of 90 percent or better based on data quality testing. Adopting a similar
approach with respect to KeyCorp could help DRR determine whether errors identified in
KeyCorp’s data are within acceptable ranges. It would also facilitate DRR’s ongoing
efforts to assess the adequacy of data reliability controls, both in the Contract and in
DRR’s oversight management activities.

DRR Circular 7210.2, Use of 4C for Franchise Marketing, Asset Marketing and Asset
Management Activities, dated November 18, 2008, established a data quality
improvement process for internally managed assets. However, the circular does not
reflect DRR’s current business model of relying on servicer systems, rather than the
FDIC’s 4C system, as the authoritative source of data used to manage and market
receivership loans. Consequently, DRR personnel had not implemented the data quality
improvement process in Circular 7210.2 for loans serviced by KeyCorp. During our
audit period, DRR had begun to assess the use of the FDIC’s 4C system in the current
business environment and whether to modify or rescind Circular 7210.2, as appropriate.

Absent additional data reliability controls, the FDIC has reduced assurance that data used
to manage and market receivership commercial loans is reliable. In addition, the FDIC
may not be managing corporate data in the most efficient manner by taking full
advantage of the various procedures performed by KeyCorp and DRR personnel to
ensure data quality and integrity. In particular, we noted that prior to marketing certain
receivership loans serviced by KeyCorp, DRR had contracted with third-party due
diligence firms to validate the quality of data that may already have been validated by
KeyCorp or DRR personnel. Given the significant amount of data and number of parties
involved with receivership assets, including external loan servicers, it is important for the
FDIC to have an integrated approach for ensuring that receivership loan data used to
facilitate asset management and marketing decisions are reliable.

Recommendation

We recommend that DRR:

3. Establish and implement a more structured program for promoting the reliability of
   receivership data. Such a program should consider the data reliability issues described
   in this report, such as:

   •   ensuring the accuracy of asset type data,
   •   updating current policy and guidance to reflect DRR’s use of contractor systems
       to support asset management and marketing,
   •   developing objective metrics to measure data reliability, and
   •   ensuring current and future contracts contain clearly defined provisions for
       ongoing data reliability.


Controls Related to Sensitive Information
The FDIC conducted preliminary security checks and obtained signed confidentiality
agreements for all of the KeyCorp contractor and subcontractor personnel that we
reviewed. However, we identified instances in which OPM background investigations
had not been initiated as required by FDIC policy. In addition, KeyCorp did not obtain
the FDIC’s prior written approval before engaging a subcontractor to work on the
Contract or include certain security-related provisions in its subcontracts as required by
the Contract.
Finally, the FDIC was working to apply its Outsourced Service Provider
Assessment Methodology to assess security risks and controls at KeyCorp.

Background Investigations and Confidentiality Agreements

We selected a non-statistical sample of 12 KeyCorp contractor and subcontractor
personnel to determine whether the FDIC had initiated an appropriate background
investigation and obtained a signed confidentiality agreement. We found that the FDIC
conducted preliminary security checks and obtained signed confidentiality agreements for
all 12 personnel. However, the FDIC had not ordered an OPM background investigation
for 3 of the 12 individuals who had access to sensitive receivership loan information, as
required by FDIC policy.

FDIC Circular 1610.2, Personnel Security Policy and Procedures for FDIC Contractors,
states that individuals designated as key personnel “who will not have direct operational
duties under the task” will be subject to an integrity and fitness check prior to contract
award. Consistent with Circular 1610.2, DOA’s Security and Emergency Preparedness
Section (SEPS) performed the required integrity and fitness checks and concluded that
the checks did not reveal any information that would preclude the individuals from
obtaining a contract or contract work with the FDIC.

Circular 1610.2 also requires contractor and subcontractor personnel with access to
sensitive FDIC information to provide the FDIC with a completed Standard Form (SF)
85P, Questionnaire for Public Trust Positions, and to have an OPM background
investigation commensurate with the risk level of their position. A completed SF 85P is a
prerequisite for ordering an OPM background investigation. None of the three
individuals that we identified as exceptions had submitted a completed SF 85P because
Circular 1610.2 does not require the form to be submitted as part of the pre-award
integrity and fitness check and the OM did not ask these individuals to provide the form
due to an oversight. The KeyCorp Project Manager advised us that KeyCorp was not
aware that further investigation of these individuals was needed given the FDIC’s
preliminary approval prior to contract award. After we brought this matter to DRR’s
attention, the OM requested that KeyCorp direct the three individuals to complete
SF 85Ps, and KeyCorp subsequently submitted the forms to the FDIC. Prior to those
submissions, the lack of OPM background investigations for the three individuals
reduced the FDIC’s assurance that they satisfied the FDIC’s standards for integrity and
fitness.

Risk Level Designations

OPM background investigations for 9 of the 12 contractor and subcontractor personnel
that we reviewed were based on a risk level designation of “moderate.” However,
Section 7.5.09, Risk Level Designation, of the Contract states that the risk level for
purposes of conducting background investigations is “high.” We brought this
discrepancy to the attention of DOA contracting and DRR oversight management
officials. Subsequent to the close of our field work, the CO advised us that, after
consulting with a DRR Information Technology Manager, the Contract would be
modified to reduce the required level of background investigation to “moderate” based on
the job duties and sensitivity of information to be handled for the Contract. The CO
indicated that this new risk level should reduce the costs of the background investigations
required by the Contract by as much as $238,000.
The CO also indicated that similar
modifications would be implemented for the other external loan servicer contracts,
potentially resulting in significant additional cost savings to the FDIC.[8]

[8] We did not evaluate the appropriateness of the FDIC’s decision to lower the risk level
rating for conducting background investigations under the Contract or under other external
loan servicer contracts as part of the audit.

Subcontractor Approvals

KeyCorp did not obtain prior written approval from the CO before engaging one of its
three subcontractors to work on the Contract. Provision 7.5.6-04, Approved
Subcontractors and Consent to Subcontract, of the Contract requires prior written
approval by the CO for all subcontractors that perform any of KeyCorp’s responsibilities
under the Contract. KeyCorp engaged the subcontractor in June 2011 to perform up to
100 percent of the document scanning and indexing services under the Contract. In
addition, KeyCorp personnel informed us that the subcontractor supported KeyCorp’s
mail room operations and performed other activities that involved access to potentially
sensitive information, such as check and loan file documentation pertaining to FDIC
receiverships. We identified the subcontractor as providing services under the Contract
during our December 5, 2011 walkthrough of KeyCorp’s offices in Overland Park,
Kansas.

KeyCorp had not identified the subcontractor under the Contract or included the firm in
its Subcontracting Plans[9] submitted to the FDIC because it considered the subcontractor
to be a shared resource supporting multiple KeyCorp clients. As such, KeyCorp
determined that the firm would not qualify as a subcontractor under the Contract. As a
result, the FDIC did not have the opportunity to assess the subcontractor’s qualifications,
initiate background investigations of its employees, or obtain confidentiality agreements
from the firm or its personnel. The CO advised us that KeyCorp was informed on
December 5, 2011, that the subcontractor personnel should discontinue providing
services under the Contract until such time as written approval is obtained from the
FDIC. On December 7, 2011, KeyCorp submitted a revised Subcontracting Plan to the
FDIC that identified the subcontractor under the Contract. The CO formally approved
the subcontractor to provide services under the Contract on May 8, 2012.

[9] Subcontracting Plans identify, among other things, the names and capabilities of
subcontractors, the rationale for using subcontractors, and a description of the work to be
performed by subcontractors.

Contract Security Provisions

We reviewed two of the three KeyCorp subcontracts and found that KeyCorp did not
include certain provisions related to protecting sensitive information and background
investigations in the subcontracts as required by the Contract. KeyCorp’s Project
Manager was not aware of the requirement to include these provisions in the
subcontracts. In addition, as previously noted, KeyCorp did not consider one firm to be a
subcontractor for purposes of the Contract. Further, the FDIC’s contract oversight
activities did not include a review of KeyCorp’s subcontracts to ensure that they included
the required provisions. The lack of the referenced security provisions reduced the
FDIC’s assurance that subcontractor personnel would protect sensitive information
consistent with the FDIC’s policies and that subcontractor personnel satisfied the FDIC’s
minimum standards of fitness and integrity.

Security Oversight

The FDIC uses its Outsourced Service Provider Assessment Methodology to provide
security oversight of outsourced service providers, such as KeyCorp. The methodology
employs a risk-based approach for addressing security risks and evaluating compliance
with security- and privacy-related requirements. It also requires, among other things, that
the FDIC complete various security- and privacy-related documents for outsourced
service providers.[10] At the time of our audit, the FDIC was in the process of applying the
Outsourced Service Provider Assessment Methodology to KeyCorp. Specifically, the
FDIC was collecting security- and privacy-related information from KeyCorp and, in
March 2012, conducted a site-visit of KeyCorp’s data center.

[10] Such documents include an Application Security Assessment, Privacy Threshold
Analysis, Security Synopsis Statement, and Contract Clause Verification Checklist.

In our 2011 information security evaluation report required by the Federal Information
Security Management Act, we noted that the FDIC’s Division of Information Technology
was working with the Corporation’s divisions and offices to identify all of the outsourced
information services (and associated service providers) used by the Corporation.[11] Based
on the large number of services and service providers identified through this effort, the
report recommended that the FDIC complete the development and implementation of a
formal strategy that defines a risk-based approach for applying the Outsourced Service
Provider Assessment Methodology to the FDIC’s inventory of outsourced information
systems and services. DRR’s application of the methodology is consistent with that
strategy. When complete, the results of the methodology will provide the FDIC with a
greater understanding of KeyCorp’s controls and practices for protecting FDIC data and
complying with the security-related provisions of the Contract.

[11] OIG report entitled, Independent Evaluation of the FDIC’s Information Security
Program—2011 (AUD-12-002), dated October 31, 2011.

As a result of our prior recommendation and the FDIC’s ongoing corrective action, we
are not making a recommendation to address security oversight. Recommendations
associated with the other issues we identified related to the controls over sensitive
information follow.

Recommendations

We recommend that the Director, DRR:

4. Enhance existing controls for ensuring that contractor and subcontractor personnel
   provide the FDIC with completed SF 85Ps when appropriate.

5. Coordinate with DOA to modify the KeyCorp and other servicer contracts, as
   appropriate, to reflect a risk-based and cost-effective approach to completing
   background investigations for contractor and subcontractor personnel.

We recommend that the Director, DOA:

6. Enhance controls designed to ensure that (a) subcontractors are approved by FDIC
   contracting personnel prior to providing services under FDIC contracts and
   (b) subcontracts contain appropriate security provisions.

7. Coordinate with KeyCorp to ensure that all required clauses related to protecting
   sensitive FDIC information are included in KeyCorp’s subcontracts.


CORPORATION COMMENTS AND OIG EVALUATION
The Directors, DOA and DRR, provided a joint written response, dated June 19, 2012, to
a draft of this report. The response is presented in its entirety in Appendix 5.
In the
response, the Directors concurred with all seven of the report’s recommendations and
described completed and planned corrective actions to address the recommendations.

Subsequent to the receipt of management’s response, DRR and DOA officials clarified
actions that will be taken to address two of the report’s recommendations. Specifically, a
DRR official advised us that, in addition to the completed corrective actions described in
management’s response to Recommendation 1, DRR plans to review KeyCorp’s internal
billing procedures to determine whether they adequately mitigate the risk of the types of
exceptions identified in this report and recommend enhancements as necessary. DRR
plans to review KeyCorp’s billing procedures by August 31, 2012. In addition, a DOA
official advised us that, in addition to the planned corrective actions described in
management’s response to Recommendation 6, DOA is considering additional steps to
promote awareness among OMs and TMs of the issues described in this report pertaining
to subcontractor approvals and subcontract security provisions.

Before finalizing our report, we provided relevant portions of our draft report to KeyCorp
for its review and informal comment. In a letter dated May 31, 2012, KeyCorp described
the status of completed and planned corrective actions to address the issues described in
the report. We considered the information provided by KeyCorp in finalizing our report.

A summary of the Corporation’s corrective actions is presented in Appendix 6. The
completed or planned actions are responsive to the recommendations, and the
recommendations are resolved.


Appendix 1

Objective, Scope, and Methodology


Objective

Our performance audit objective was to assess (1) the extent to which payments made by
the FDIC for services provided by KeyCorp were adequately supported and in
compliance with contract terms, (2) the reliability of selected data used to manage and
market assets serviced by KeyCorp, and (3) the adequacy of certain controls over
sensitive information handled by KeyCorp.

We conducted this performance audit from October 2011 to May 2012 in accordance
with generally accepted government auditing standards. Those standards require that we
plan and perform the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit objective. We
believe that the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objective.

Scope and Methodology

The scope of this audit included invoices approved for payment to KeyCorp from the
award of the Contract on July 26, 2010 through September 30, 2011.
To achieve the\naudit objectives, we performed the following procedures and techniques:\n\n   \xef\x82\xb7   Reviewed:\n\n         \xef\x82\xb7   The Contract, including modifications and selected task orders.\n\n         \xef\x82\xb7   Applicable FDIC and KeyCorp policies and procedures related to contract\n             oversight, invoicing, data reliability, and protection of sensitive information.\n\n         \xef\x82\xb7   Loan file documentation in KeyCorp\xe2\x80\x99s loan system, which we accessed\n             through KeyCorp\xe2\x80\x99s secure Internet portal.\n\n         \xef\x82\xb7   DRR compliance review reports completed for KeyCorp at the time of our\n             audit.\n\n         \xef\x82\xb7   Third-party review reports of KeyCorp\xe2\x80\x99s operations available at the time of\n             our audit.\n\n   \xef\x82\xb7   Interviewed FDIC personnel with contract oversight or support responsibilities,\n       including the CO, the OM, and various TMs.\n\n   \xef\x82\xb7   Interviewed KeyCorp officials and personnel responsible for contract\n       performance.\n\n\n\n\n                                              18\n\x0c                                                                                        Appendix 1\n\n                       Objective, Scope, and Methodology\n\n     \xef\x82\xb7   Conducted a site visit and performed a walkthrough of the KeyCorp loan\n         servicing facility during the week of December 5, 2011 in Overland Park, Kansas.\n\n     \xef\x82\xb7   Tested a sample of invoices12 to determine whether DRR personnel reviewed and\n         approved the invoices prior to payment and the invoices were for amounts\n         allowed by the Contract. 
       Our sample consisted of:

         •   a statistically random sample of 40 invoices totaling $1,055,578 that were
             taken from the population of 282 invoices less than $300,000 dated between
             June 1, 2011 and September 30, 2011 that the FDIC had approved for
             payment to KeyCorp as of September 30, 2011. The 40 sampled invoices
             represented 25 percent of the $4,215,291 in invoices less than $300,000
             approved for payment during that period.

         •   all four invoices of $300,000 or more that the FDIC approved for payment to
             KeyCorp during the period from Contract award on July 26, 2010 through
             September 30, 2011. These four invoices totaled $1,543,219, or 13.6 percent,
             of the $11.4 million approved for payment to KeyCorp through September 30,
             2011.

   •   Tested a non-statistical sub-sample of 70 loans from the sampled invoices
       described above to assess the support for the amounts billed.

   •   Reviewed all significant month-end suspense balances to determine whether they
       had an impact on the service fees billed for the months of March through August
       2011. We considered the balances to be significant if they were greater than or
       equal to $500,000, or greater than or equal to $100,000 and outstanding more than
       30 days.

   •   Tested a non-statistical sample of 25 loans to assess consistency between the
       collateral type and asset type for the loans. The loans were in the FDIC’s 4C
       system as of December 31, 2011.
       In each case, KeyCorp had identified an
       inconsistency between the FDIC assigned asset type for the loan and the collateral
       type assigned to the loan based on a review of collateral by KeyCorp.

   •   Tested a non-statistical sample of 12 contractor and subcontractor personnel out
       of a population of more than 100 personnel who potentially had access to
       sensitive FDIC information, for evidence of background investigations and signed
       confidentiality agreements.

   •   Reviewed the narrative for a non-statistical sample of two of the three KeyCorp
       subcontracts to assess compliance with the provisions of the FDIC’s contract with
       KeyCorp.

[12] We sampled from three types of invoices: (1) KeyCorp-prepared invoices for loan servicing fees;
(2) KeyCorp-prepared invoices for pass-through costs that included, among other things, advances under
unfunded commitments and advances for the protection of assets; and (3) FDIC-prepared invoices for other
payments, such as forwarding to KeyCorp principal and interest amounts that had been sent to the FDIC by
prior servicers.

We used both statistical and non-statistical sampling techniques to support the findings,
conclusions, and recommendations in this report. However, none of these sampling
techniques can be used to project to the intended population by standard statistical
methods.
We performed the audit work at the FDIC’s offices in Dallas, Texas, and
KeyCorp’s offices in Overland Park, Kansas.

Internal Control, Reliance on Computer-processed Information, Performance
Measurement, and Compliance with Laws and Regulations

Consistent with the stated audit objective, we did not assess the FDIC’s or KeyCorp’s
overall internal control or management control structure. We relied on information in
FDIC and KeyCorp information systems and reports and interviews of FDIC and
KeyCorp personnel to understand and assess the specific internal controls relevant to our
audit objective. These included controls over the preparation and review of invoices,
controls to ensure the quality and integrity of data, and controls over sensitive
information.

We obtained data from various FDIC and KeyCorp systems. Where appropriate, we
corroborated data obtained from systems that were used to support our audit conclusions
with information from various sources, including loan file documents and testimonial
evidence. However, we determined that specific information system controls were not
significant to the audit objective and, therefore, we did not evaluate the effectiveness of
information system controls.

The Government Performance and Results Act of 1993 (the Results Act) directs
Executive Branch agencies to develop a customer-focused strategic plan, align agency
programs and activities with concrete missions and goals, and prepare and report on
annual performance plans. We did not assess the strengths and weaknesses of the FDIC’s
annual performance plan in meeting the requirements of the Results Act because such an
assessment was not part of the audit objective.

A wide range of potential risks for fraud exists with any contract.
Fraud risks related to
this audit included false claims by the contractor whose expenses are passed through to
the FDIC, or duplicate claims by or payments to KeyCorp. We assessed the risk of fraud
and abuse related to our objective in the course of evaluating audit evidence.

Prior Audit Coverage

We considered prior audit coverage of areas related to our audit objective, including the
report entitled, Independent Evaluation of the FDIC’s Information Security Program—
2011, dated October 31, 2011. In that report, the OIG noted that the FDIC had developed
a methodology for addressing security risks associated with contractor systems and
assessing contractor compliance with security- and privacy-related contract requirements.
However, the report concluded that work remained to implement the methodology and
recommended that the FDIC complete the development and implementation of a formal
strategy that defines a risk-based approach for applying the methodology.

Appendix 2

Monetary Benefits Terms and Results

The Inspector General Act of 1978, as amended, (1) defines the terminology associated
with monetary benefits identified by auditors and (2) establishes the reporting
requirements for the identification and disposition of questioned costs in audit reports. In
addition, the explanations provided below indicate that the process for actual recovery of
questioned costs involves various stages, evaluations of factors, and decision-making
processes.
The following defines the key terms associated with monetary benefits and
explains how they relate to each other.

   •   First, auditors may identify “questioned costs” based on an alleged violation of a
       provision of a law, regulation, contract, grant, cooperative agreement, or other
       agreement or document governing the expenditure of funds. In addition, a
       questioned cost may be a finding in which, at the time of the audit, a cost is not
       supported by adequate documentation (i.e., unsupported questioned cost); or a
       finding that the expenditure of funds for the intended purpose is unnecessary or
       unreasonable. It is important to note that the OIG does not always expect to
       recover 100 percent of all questioned costs.

   •   The next step in the process of making a decision about questioned costs is a
       “management decision.” This is the final decision issued by management after
       evaluating the finding(s) and recommendation(s) included in an audit report. The
       management decision must specifically address the questioned costs by either
       disallowing or not disallowing these costs. A “disallowed cost” is a questioned
       cost that management, in a management decision, has sustained or agreed should
       not be charged to the government.

   •   Once management has disallowed a cost and, in effect, sustained the auditor’s
       questioned costs, the last step in the process takes place which culminates in the
       “final action.” This is the completion of all actions that management has
       determined are necessary to resolve the findings and recommendations included
       in an audit report.
       Typically, in the case of disallowed costs, management will
       evaluate factors beyond the conditions in the audit report, such as qualitative
       judgments of value received or the cost to litigate, and decide whether it is in the
       FDIC’s best interest to pursue recovery of disallowed costs.

As indicated on the next page, a total of $12,057.05 in questioned costs were identified
during this audit.

Monetary Benefits

Questioned Costs Description                 Questioned Costs

Incorrect Loan Service Fee Payments                   $649.73
Duplicate Payment of Pass-Through Cost             $11,407.32

Total Amount of Questioned Costs                   $12,057.05

Source: OIG’s analysis of invoices as described in this report.

Appendix 3

Glossary of Terms

Term                Definition

Background          Includes various types of investigations conducted by OPM for the FDIC.
Investigation       All contractor personnel with long-term access to FDIC facilities,
                    information technology systems, or sensitive information must undergo an
                    OPM background investigation commensurate with the designated risk
                    level associated with the duties of each position.

Commercial          A credit initiated for business purposes that may be secured or unsecured.
Loan                Security for commercial loans may include, among other things, accounts
                    receivable, equipment, inventory, real estate properties, or a combination of
                    assets.

Contracting         The FDIC representative with delegated authority to enter into and legally
Officer             bind, administer, and terminate contractual instruments on behalf of the
                    FDIC.

Contractor          An individual, corporation, partnership, joint-venture, or other third-party
                    entity that enters into a contract with the FDIC to provide goods, services,
                    or other requirements pursuant to its terms and conditions.

Fee Invoices        Invoices that include servicing fees based on a loan’s unpaid principal
                    balance, collateral type, performance status; loss mitigation fees for
                    activities such as compromises and restructures; foreclosure fees; and report
                    preparation fees.

Judgments,          A judgment is a court ruling entered for or against a party in litigation,
Deficiencies, and   usually for an unpaid amount due from a debtor. A deficiency is the
Charge-Offs         remaining amount owed by a borrower when a foreclosure sale does not
                    produce sufficient funds to pay a mortgage debt in full.
                    A charge-off represents the uncollectable portion of a loan.

Key Personnel       Contractor personnel deemed essential and critical to the performance of the
                    contract and who are contractually required to perform by the Key
                    Personnel contract clause.

Outsourced          A methodology developed by the FDIC that provides a risk-based process
Service Provider    for addressing security risks associated with contractor systems and
Assessment          assessing contractor compliance with security- and privacy-related
Methodology         requirements.

Pass-Through        Generally these costs include expenditures that satisfy unfunded loan
Costs               commitments, such as construction advances, or that protect the FDIC’s
                    interest in an asset, such as legal fees, property taxes, and insurance.

Risk Level          An evaluative classification designation assigned to contracts or contract
                    labor categories based on duties performed that have the potential for
                    affecting the integrity, efficiency, and/or effectiveness of the Corporation’s
                    mission, and when misused, may diminish public confidence.

Sensitive           Any information, the loss, misuse, or unauthorized access to or modification
Information         of which, could adversely impact the interests of the FDIC in carrying out
                    its programs or the privacy to which individuals are entitled.

Subcontractor       An individual, corporation, partnership, joint-venture, or other third-party
                    entity that has entered into a contract with an FDIC contractor to
                    perform work on behalf of the FDIC.

Appendix 4

Acronyms

4C       Communication, Capability, Challenge, and Control system
APM      Acquisition Policy Manual
CO       Contracting Officer
DOA      Division of Administration
DRR      Division of Resolutions and Receiverships
GAO      United States Government Accountability Office
JDC      Judgments, Deficiencies, and Charge-offs
OIG      Office of Inspector General
OM       Oversight Manager
OPM      Office of Personnel Management
SEPS     Security and Emergency Preparedness Section
SF 85P   Standard Form 85P
TM       Technical Monitor

Appendix 5

Corporation Comments

1601 Bryan Street, Dallas, TX 75201                    Dallas Regional Office

DATE:            June 19, 2012

MEMORANDUM TO:   Stephen M. Beard
                 Deputy Inspector General for Audits and Evaluations

FROM:            Arleas Upton Kea, Director /Signed/
                 Division of Administration

                 Bret D. Edwards, Director /Signed/
                 Division of Resolutions and Receiverships

SUBJECT:         Management Response to the Draft OIG Audit Report Entitled,
                 Controls Related to the FDIC’s Contract with KeyCorp Real
                 Estate Capital Markets, Inc. (Assignment No.
                 2011-087)

This is in response to the subject Draft Office of Inspector General (OIG) Audit Report, issued
May 16, 2012. In its report, the OIG made two recommendations to the Division of
Administration (DOA) and five recommendations to the Division of Resolutions and
Receiverships (DRR).

MANAGEMENT DECISION

Recommendation 1 (DRR): Review KeyCorp’s internal billing procedures to determine
whether they adequately mitigate the risk that the types of exceptions identified during our audit
go undetected. Based on the results of the review, take appropriate steps to ensure that controls
pertaining to the accuracy, timeliness, and support for invoices are adequate.

DRR Management Response: DRR concurs with the recommendation.

Corrective Action: It should be noted that all billing discrepancies noted in this audit have been
resolved. KeyCorp has reimbursed the corporation the sum of $12,057.05 as of February 9, 2012.
A more enhanced process has been implemented by KeyCorp to review the Asset Types (AT)
against the loan documents at conversion from the receiverships. Any and all discrepancies
identified are submitted by KeyCorp to the Oversight Manager (OM) and the Accounting
Technical Monitor (TM) for approval to change. Also, KeyCorp has enhanced its quality control
process to ensure the unpaid principal balances are correct where multiple fees may be
applicable. To avoid duplicate billing issues between the loan servicer and the receivership or
another loan servicer, KeyCorp has incorporated in the conversion calls the discussion on
handling expenses pre-conversion and post-conversion.
Additionally, KeyCorp is posting all loan
balances immediately as it relates to foreclosures where multiple fees would be assessed.

Completion date: April 30, 2012

Appendix 6

Summary of the Corporation’s Corrective Actions

This table presents corrective actions taken or planned by the Corporation in response to the
recommendations in the report and the status of the recommendations as of the date of report
issuance.

Rec.   Corrective Action: Taken or          Expected             Monetary   Resolved:[a]   Open or
No.    Planned                              Completion Date      Benefits   Yes or No      Closed[b]

 1     All billing discrepancies noted in   August 31, 2012      $12,057    Yes            Open
       this report have been resolved.
       In addition, KeyCorp enhanced
       its processes for ensuring the
       accuracy of asset types and
       unpaid principal balance
       amounts; took steps to mitigate
       the risk of duplicate payments;
       and began posting loan balances
       immediately for foreclosures.

       A DRR official also advised us
       that DRR will review KeyCorp’s
       internal billing procedures to
       determine whether they
       adequately mitigate the risk of
       the types of exceptions identified
       in this report and recommend
       enhancements as necessary.
 2     DRR will assess its current          September 30, 2012              Yes            Open
       procedures for reviewing
       monthly invoices to determine
       whether
       a more risk-based
       approach is feasible.
 3     DRR has implemented a formal         October 31, 2012                Yes            Open
       process to identify exceptions
       and update asset types, and
       developed a 4C data integrity
       program. Additionally, DRR is
       nearing completion of the
       standardized loan data structure
       project, which has recommended
       modifying the servicer’s
       Statement of Work to require the
       loan servicers to validate system
       data. In addition, DRR will
       enhance its semi-annual audit
       program to conduct an expanded
       review of data fields deemed
       critical.
 4     DRR implemented a monthly            September 30, 2012              Yes            Open
       verification process in
       coordination with FDIC
       Personnel Security Management
       to ensure that SF 85Ps are
       obtained from contractor
       personnel when appropriate.
       In addition, a procedural
       memorandum will be developed
       for OMs to provide guidance in
       monitoring personnel changes on
       loan servicing contracts.
 5     DRR, in coordination with DOA,       June 7, 2012                    Yes            Closed
       lowered the risk level ratings of
       all loan servicing contracts from
       high to moderate.
 6     DOA will revise the OM and           September 25, 2012              Yes            Open
       TM Appointment Memoranda to
       reference the requirement for
       subcontractor approvals and
       revise the Post-award
       Conference Agenda to address
       subcontractor security
       provisions. A DOA official also
       advised us that DOA is
       considering additional steps to
       promote awareness among OMs
       and TMs of the issues pertaining
       to subcontractor approvals and
       subcontract security provisions.
 7     DOA will request a copy of each      August 15, 2012                 Yes            Open
       KeyCorp subcontract to verify
       that all required clauses have
       been included.

[a] Resolved – (1) Management concurs with the recommendation, and the planned, ongoing, and completed
                   corrective action is consistent with the recommendation.
               (2) Management does not concur with the recommendation, but alternative action meets the
                   intent of the recommendation.
               (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0)
                   amount.
                   Monetary benefits are considered resolved as long as management provides an
                   amount.

[b] Recommendations will be closed when (a) Corporate Management Control notifies the OIG that corrective
actions are complete or (b) in the case of recommendations that the OIG determines to be particularly
significant, when the OIG confirms that corrective actions have been completed and are responsive.